#238, was: #328: user Intervention on Redirects from Julian Reschke on 2012-02-07 (ietf-http-wg@w3.org from January to March 2012)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 07 Feb 2012 21:15:41 +0100
To: Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <4F31866D.4050709@gmx.de>

On 2012-02-07 00:55, Mark Nottingham wrote:
> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/238>

(changed subject line accordingly)

>> The redirect status codes define requirements for user intervention; e.g.,
>>
>> If the 301 status code is received in response to a request method that is known to be "safe", as defined in Section 7.1.1, then the request MAY be automatically redirected by the user agent without confirmation. Otherwise, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.
>>
>> However, this requirement is not often implemented by UAs.
>
>
> I'm now wondering if we should consider removing this requirement altogether.
>
> The way it's structured now, the requirement associates intent with a URI, when in reality intent is associated with the UI; the user is blissfully unaware of the actual resource being manipulated.
>
> More to the point, there's little to no difference between an HTML form POSTing somewhere and getting redirected somewhere else to the form just using the second URI in the first place.
>
> I think this requirement is well-intentioned, but the threat model of the Web has changed significantly since it was written.
>
> Thoughts?
> ...

Here's a proposal that removes the normative requirement, refactors the 
text to say things only once, but keeps a warning.

In the 3xx Introduction, say:

    Note that for methods not known to be "safe", as defined in
    Section 6.1.1, automatic redirection needs to done with care, since
    the redirect might change the conditions under which the request was
    issued.

In the description for 301 remove:

    If the 301 status code is received in response to a request method
    that is known to be "safe", as defined in Section 6.1.1, then the
    request MAY be automatically redirected by the user agent without
    confirmation.  Otherwise, the user agent MUST NOT automatically
    redirect the request unless it can be confirmed by the user, since
    this might change the conditions under which the request was issued.

dito for 302 and 307.

Proposed patch: 
<http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/238/238.diff>

Best regards, Julian

Received on Tuesday, 7 February 2012 20:19:05 UTC